Menu

Tag Archives: application security

Decoding Weak CAPTCHA’s

TLDR; Weak CAPTCHA services utilized on the internet can be programmatically solved with a fairly high success rate.

Problem

A lot of firms, including mine, have begun to recommended CAPTCHA’s be used on all web forms which feed into existing business processes (registration pages, contact pages, etc). This recommendation can be a double edged sword, because there are still several CAPTCHA services that utilize weak CAPTCHA’s, which can be readily decoded with modern image analysis techniques. That being said several individuals have asked if there is a systematic way to test the strength of a given CAPTCHA, to determine weather it’s weak or not.

Solution

There are two major methodologies currently being widely used to decode weak CAPTCHA’s. The first technique is to remove the noise from CAPTCHA images by reversing the programmatic functions, used to add visual abstractions. Then simply comparing each character to a set of known sample characters. This method relays heavily on evaluating each weak CAPTCHA service offering and creating reliable function sets to solve individual CAPTCHA’s. The best tool for using this technique to test for known weak CAPTCHA types is pwntcha.

The second methodology uses vector based image analysis to compare each pixels location to the expected location given, each possible character. After consolidating all of these pixel location checks, each possible character is ranked based on its probability of being correct. The success of this method relays heavily on the use of a reference font, thus if the reference font and the CAPTCHA’s font are distantly different the analysis won’t go well. The best freely available tool I’ve found using this technique to test the strength of CAPTCHA’s is captcha-decoder.

How to use

Unfortunately almost every implementation of CAPTCHA’s is going to be different enough to make web scrapping a sample set of CAPTCHA images difficult. Thus the first step is always going to be downloading three to five CAPTCHA images for testing.

Then we can run each image through pwntcha and see if it can identify the image as a known weak CAPTCHA type.

Pwntcha <img>

Test run using Paypal’s known weak CAPTCHA samples 100/100

Test run of vBullentin’s known weak CAPTCHA samples 100/100

Last we can run captcha-decoder on each of the sample images to try and get an idea if vector based analysis is going to be successful. You will have to use your best judgment once you receive the results to determine if the risk is high enough to create an issue. Generally if all the correct letters are guessed with over 70% confidence the CAPTCHA should be considered weak. However an organization may believe 70% is too high and may only have a much lower tolerance.

TL;DR: mRemoteNG uses insecure methods for password storage and can provide droves of valid credentials during an assessment or competition.

Level Set

mRemoteNG (mremote) is an open source project (https://github.com/rmcardle/mRemoteNG) that provides a full-featured, multi-tab remote connections manager. It currently supports RDP, SSH, Telnet, VNC, ICA, HTTP/S, rlogin, and raw socket connections. Additionally, It also provides the means to save connection settings such as hostnames, IP addresses, protocol, port, and user credentials, in a password protected and encrypted connections file.

Problem

During a recent pentest, I was struggling to gain additional administrative access to key systems ,even with standard user authentication. However, during some share pillaging I found a backup of an old mRemote connections file. The connections file houses all the information needed to gain remote access to a given system (IP/Hostname, Protocol, Port, Username, and Password). However, the credentials are encrypted, by default, and the connections file was protected by a master password.

Solution

It turns out, the master password is just used by the program to determine whether or not to load in the selected connections file. The stored credentials are actually encrypted with a static string, not the master password. This creates a scenario wherein the master password hash can simply be replaced with a blank password hash, to bypass the master password prompt. Once the connections file is loaded, the program even has the ability to add additional “External tools”, which allow for access to the programs variables and memory space. This allows for simple echo commands to be added to reveal hidden details about each connection, such as the clear text password.

How to Access The Clear Text Credentials

Method 1: Using the Program itself

To start ensure that mRemoteNG is closed or download the portable version of the application.

Second navigate to the default mRemoteNG data folder (C:\Users\\AppData\Roaming\mRemoteNG) or acquire the connections configuration file. Alternatively, enter the path %appdata%/mRemoteNG into Start/Run, to go directly to the default installation location. Or use the portable version of the application, for any backup files you may have discovered while pillaging.

Third open the connections configuration file (by default called confCons.xml) in your favorite text editor.
Then, on the second line, locate the Protected=”a bunch of numbers/letters” string and replace it with the value below.Protected=”GiUis20DIbnYzWPcdaQKfjE2H5jh//L5v4RGrJMGNXuIq2CttB/d/BxaBP2LwRhY”
Note: This is just a master password hash of blank, to allow for the connections file to be loaded.

Next, just re-open mRemoteNG and load the connections file, by simply submitting a blank password to the master password prompt.

To see the clear text of a given password, go to “Tools” > “External Tools”. Then right-click in the white space and choose “New External Tool”. Next, in the External Tools Properties, fill in a “Display Name”, “Filename” and some “arguments”, with “Password lookup”, CMD and “/k echo %password%” respectively.

Finally, go to the connection where you would like to reveal the connection and right-click on it and choose “External tools” > “Password lookup”.

Method 2: Using an Offline Decoder

A modified version of the Metasploit module Ruby code, can be used to get the clear text passwords from within a protected connections file.

Method 3: Using the Metasploit Post Module

Once you have a meterpreter shell on an administrators system that has mRemoteNG installed, simply run the post module with the following command and enjoy clear text.run post/windows/gather/credentials/mremote

Note: mRemoteNG is a platform agnostic program, however the post module only works on Windows and will only parse the default connections file (confCons.xml) and location (%appdata%/mRemoteNG).